spree_gateway
spree_gateway copied to clipboard
spree
Braintree cvv_response_code does not match with the verification cvv_response_code
I understand the cvv_response_code shows up correctly in Braintree's verifications but I am wondering if there is any workaround to having Braintree's transactions show and support the correct cvv_response_code. Up until now, every transaction I have had through braintree shows up as risky and all my transactions have cvv_response_code "I" .
This was an earlier post I found explaining the same issue. https://groups.google.com/forum/#!topic/spree-user/VQXNkw10OMU
The thread you are linking to is technically a different issue. Back then the Braintree implementation for Spree Gateway was not indicating that new cards should be verified. That has since changed.
I had another person contact me about this via e-mail. I'm not using Spree 3.0 but I looked into it for him.
What you're experiencing likely has to do with the simple approach Spree takes with regard to CVV risk. Payments are considered non-risky if the cvv response is M, nil or if there is a cvv_response_message. This does not take into account whether or not a card has already been verified by the payment processor.
See the current implementation for is_cvv_risky? here: https://github.com/spree/spree/blob/5c9267dcfddd40d0ff06de5a15c1b6d455fb1ff2/core/app/models/spree/payment.rb#L158
I believe the issue is that CVV information is discarded after a new card is authorized and the payment method token (gateway_payment_profile_id in spree_credit_cards) is used from then on. As such all future interactions with that credit card will return "risky" codes, despite being verified. Perhaps this is a quirk with Braintree but solving it should be possible within Spree. I think that with Braintree a verified credit card that has a valid gateway_payment_profile_id should be excluded from the risky flag.
You could probably accomplish this for yourself by adding the following line (untested) to a decorator for Spree::Payment's implementation of is_cvv_risky?
def is_cvv_risky?
return false if source.present? and source.class.name == "Spree::CreditCard" and source.gateway_payment_profile_id.present?
return false if cvv_response_code == "M"
return false if cvv_response_code.nil?
return false if cvv_response_message.present?
return true
end
Again this is untested code so you might need to tweak it, but hopefully it gets the point across. I'm not using a version of Spree that uses the risky flag so I cannot test how well this works.
I have this issue with Braintree in Spree 2.4. I also verified it is a problem in an uncustomized store in Spree 3.0 with Braintree. The above fix doesn't quite work, as the risky scope needs to be fixed too, so I ended up with the following that I tested to work with my gateway:
scope :risky, -> { where("avs_response IN (?) OR (cvv_response_code IS NOT NULL and cvv_response_code != 'M' and cvv_response_code != 'I') OR state = 'failed'", RISKY_AVS_CODES) }
def is_cvv_risky?
return false if cvv_response_code == "M" || cvv_response_code == "I"
return false if cvv_response_code.nil?
return false if cvv_response_message.present?
return true
end
It probably needs some refactoring though as it won't work for gateways not using payment tokens. I don't know if other payment token gateways besides Braintree have problems either.
Hi guys, If you're using Braintree I would recommend you look at the official Braintree v.zero extension https://github.com/spree-contrib/spree_braintree_vzero
